netwire | 4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2

General

Target

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe
Size

491KB
MD5

1fc09dd624c462ec94c4e14fff3d0cfc
SHA1

4ec944ff2255fbf6d0519daf04460c7db83e5737
SHA256

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2
SHA512

38272e663a7132dd2ae7dbf0f10a33268caacf1c2827f4e5b26b7cf79fec45226c15c333fe515772e637ef0b4ad4021be0e80f209a1257cb83adae21c376affb

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1900-67-0x0000000000830000-0x000000000085C000-memory.dmp	netwire
behavioral1/memory/1236-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1236-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1236-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1236-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1236-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1236-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1236-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

description	pid	process	target process
PID 1900 set thread context of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

pid	process
1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe
1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

description pid process

Token: SeDebugPrivilege 1900 4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

description	pid	process
Token: SeDebugPrivilege	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.execsc.exe

description	pid	process	target process
PID 1900 wrote to memory of 2040	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	csc.exe
PID 1900 wrote to memory of 2040	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	csc.exe
PID 1900 wrote to memory of 2040	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	csc.exe
PID 1900 wrote to memory of 2040	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	csc.exe
PID 2040 wrote to memory of 1360	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 1360	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 1360	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 1360	2040	csc.exe	cvtres.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 1900 wrote to memory of 1236	1900	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe
"C:\Users\Admin\AppData\Local\Temp\4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5hnszq3d\5hnszq3d.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2ECF.tmp" "c:\Users\Admin\AppData\Local\Temp\5hnszq3d\CSC24092C17B1994AF2B6F19A1BDA4D57B.TMP"
3⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5hnszq3d\5hnszq3d.dll

Filesize
19KB

MD5
55cf39490f226c829ea201429af15011

SHA1
e59caefcd6101d3f6d9fa0bed63dc2c672a97bb3

SHA256
fb95c41116377eab4e2221cc700cc0c59e809f48172572959cc62b6ed91a1e01

SHA512
abc596014e050e0f4a01d355f996c5ab402b700782b3b148cc781ecd2b5fed9fcbf3d524b7a6df673b46edf25b783b074f4583ac0b1ccb8c46068647fa4e5577

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hnszq3d\5hnszq3d.pdb

Filesize
65KB

MD5
b978a1808b1e0507e7231b3ebfe484c8

SHA1
841ff162e23be1c37f348f4e09205a960a016e62

SHA256
0e7a0fb6c777910f19fe34030dc373a6f20de7420bbbfc5510b0b00098b16c63

SHA512
4e56c5fd70eaabf3a7fdc7b61b91a3c15ffe8b7ff569c554d41da590746aec6afd5a12774878a08483d0e186c0042a9f8a4696caa8fc2db2e94a2dcb09ab7bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2ECF.tmp

Filesize
1KB

MD5
56e08a2ca930fe8c529425f9df8d978c

SHA1
60e2b7c76d7632acd349c858283fd9fea69e346c

SHA256
392ce3e0b804ccc004f464a8b01ec55c4e3af12b9454e9029491600ae993a5af

SHA512
338c9edfcac13583cc0ffaa2fe3473bb177bf2dbd118ed9f89a343a002a1d785de4222ed734a580af998e61bd0494f569db0e01e51b75425f31826792a302336

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5hnszq3d\5hnszq3d.0.cs

Filesize
44KB

MD5
0642f7e939b978b5ddea46176023511c

SHA1
6df689b9698544104bf66a9887edb0ec24a013d1

SHA256
e18cfd933eaf6f3924dcc34be49f75f7acd73842976733c0672a8ab3510b091e

SHA512
35d3a5147f0c5a515bba5dadfd59e41a2ca7ba27e6255fbcac53e968c9d0d853e8204eda08a4ea027979adc34f95cd73dad2700b6e65f4e772f4c20d4f50e939

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5hnszq3d\5hnszq3d.cmdline

Filesize
312B

MD5
f38fb2905b4de8bef86e017361b79cd6

SHA1
389f28f5623b5cd467b8c86f5dc39c77fec6902a

SHA256
a0c45014db2474c693b35081c82059fdc1726232adc47aa69e29fbe0b8692809

SHA512
944b38119d5bd496cce362b888cc56c684ad78a2e6c68453561dd63ee04585a5b5fe08e2379c6d29b918a5c45aebc6a55ea51638813d08b3955a298e38bc8543

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5hnszq3d\CSC24092C17B1994AF2B6F19A1BDA4D57B.TMP

Filesize
1KB

MD5
02e6dd7f5b665c238af02741b9cf9066

SHA1
fdebc4706bb632a81d56044fa29d439e7963aec0

SHA256
95df8587bee9ff75faa98ff64f7a0aaf0e84f9da70a959ed021ef4f09a2a2f0a

SHA512
2be760ff039a281c560b53e468e70e144387f7ac5a0109662a93834c9ee202a57c934baaf23169cb068046dc62d8a8ef177bb2ea5f07476b6a060fd8cfd48eb2

Download Submit
memory/1236-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-78-0x0000000000402BCB-mapping.dmp

Download
memory/1236-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1236-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1360-58-0x0000000000000000-mapping.dmp

Download
memory/1900-67-0x0000000000830000-0x000000000085C000-memory.dmp

Filesize
176KB

Download
memory/1900-66-0x0000000075CB1000-0x0000000075CB3000-memory.dmp

Filesize
8KB

Download
memory/1900-54-0x0000000000100000-0x0000000000180000-memory.dmp

Filesize
512KB

Download
memory/1900-65-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/1900-64-0x00000000005E0000-0x0000000000612000-memory.dmp

Filesize
200KB

Download
memory/1900-63-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2040-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads